Bug Description

By reading the terms of use, I have the feeling that data stored on Ubuntu One servers is not encrypted with a user cryptographic key. This concerns me as my data would be at the mercy of an attacker if the servers' security is breached (or a Canonical operative gone mad for that matter ;-))

At UDS some ideas were discussed for encryption that provided a nice
intermediate solution - more protection than we have now, but not
crippling sharing, web UI, etc. I don't know all the details, but maybe
someone else can describe the idea here.

> If Ubuntu One is planning to implement simple web gallery like
> Dropbox,
> then files can't be encrypted on the server.
>
> Encryption could maybe be toggled per-directory? The drawback is that
> all files in the directory would need to be retransmitted to the server
> when turning on/off encryption.
>

1. The Ubuntu One servers will encrypt each user's data with a key unique to that user, before storing it in Amazon's S3 service or any other scalable storage services we use. The point of this is that if there's a break-in to S3, there is no exposure of private data; and if one of the Ubuntu One storage API servers is compromised, there is a small exposure of private data, based on the users who were using that particular storage server at the time. It still means we need to keep the database of these encryption keys very, very safe. We have facilities and procedures to do that in the Canonical data centre, and this gives us one database that we need to keep secure and monitor very carefully.
We'll be making this change right away.

2. We'll integrate the Ubuntu One file storage that runs on desktops with the ecryptfs facilities in Ubuntu, so a user can choose whether a particular directory should be sent to the Ubuntu One servers in the clear (and be easily used for photo galleries and in a web-based file manager), or that it should be sent encrypted, so the Ubuntu One servers cannot read the contents of the files, but so that other Desktop machines that share ecryptfs keys can receive the files and read them. There will be some secure way of sharing keys among computers.
We've talked with people at UDS about this, but it's more complicated, so we won't be working on this for a while.

I suspect that many are aware of this already, but thought it worth mentioning for northa and others in a similar position. Encfs can layer encryption on top of Ubuntu One manually, and the setup is very straightforward. See this post by 'manosx' for further info:

I will be glad to have this option too. An option like
"Store this folder through encfs with this password."

Currently I only use ubuntu one for small configuration files.
Before I use it for my pictures and other such folders, and therefore before I need a paying account, I need the possibility to encrypt.

For most files I store on ubuntu one, file sharing and web access are irrelevant.

I would like that directories could be marked as encrypted and have the contents of those directories encrypted on the client. Those directories could not be shared of course.

The key exchange to the registered hosts should ideally be done via something akin to a PGP-encrypted channel that ensures that the keys are never decrypted in the Ubuntu One infrastructure. In fact it might be better to use the infrastructure to merely establish a connection between key-ring applications that then negotiate exchanging private keys generated for these directories via a channel that is itself encrypted (either via PGP and existing keys or TLS).

For the web access I could only imagine browser plugins that allow client side de/encryption via the key ring management.
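The two designs discussed in this thread, Canonical's point 1 (the storage server encrypts with a per-user key before writing to S3, and keeps the key database) and the commenters' proposal (directories marked encrypted are encrypted on the client with a key the server never sees), differ mainly in what each adversary can read. The toy model below, an added example that is not Ubuntu One code, makes that concrete: it simulates the S3 backend, the storage server's key database and a desktop client, then reports what an attacker recovers with S3 alone, with the key database as well, and with the client's directory keys. The `StorageServer`, `Client` and `attacker_view` names are invented for the example, and the cipher is an encrypt-then-MAC construction built from HMAC-SHA256 (counter-mode keystream plus tag) so that the example runs on the Python standard library alone; a real deployment would use AES-GCM or similar.

```python
"""Constructed model of server-side per-user-key encryption versus
client-side per-directory encryption (not Ubuntu One's own code)."""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate keystream and MAC keys derived from one master key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream (stdlib stand-in for AES-CTR).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: blob modified or wrong key")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


class StorageServer:
    """Point 1 of the thread: one key per user, encryption before S3."""

    def __init__(self):
        self.key_db = {}  # user -> key; the one database that must stay secure
        self.s3 = {}      # (user, path) -> ciphertext handed to the storage backend

    def put(self, user: str, path: str, data: bytes) -> None:
        key = self.key_db.setdefault(user, secrets.token_bytes(32))
        self.s3[(user, path)] = encrypt(key, data)

    def get(self, user: str, path: str) -> bytes:
        return decrypt(self.key_db[user], self.s3[(user, path)])


class Client:
    """Commenters' proposal: directories marked encrypted get a key that never leaves the desktop."""

    def __init__(self, server: StorageServer, user: str):
        self.server, self.user = server, user
        self.dir_keys = {}  # directory -> key, shared only between the user's own hosts

    def sync(self, directory: str, name: str, data: bytes, encrypted: bool = False) -> None:
        if encrypted:
            key = self.dir_keys.setdefault(directory, secrets.token_bytes(32))
            data = encrypt(key, data)  # client layer, applied before upload
        self.server.put(self.user, f"{directory}/{name}", data)

    def fetch(self, directory: str, name: str) -> bytes:
        data = self.server.get(self.user, f"{directory}/{name}")
        if directory in self.dir_keys:
            data = decrypt(self.dir_keys[directory], data)
        return data


def attacker_view(server: StorageServer, key_db_compromised: bool, client_keys=None) -> dict:
    """Bytes an attacker recovers per object, given which secrets they hold."""
    view = {}
    for (user, path), blob in server.s3.items():
        data = blob  # S3-only attacker: opaque ciphertext under the per-user key
        if key_db_compromised:
            data = decrypt(server.key_db[user], data)  # server layer peeled off
            directory = path.split("/")[0]
            if client_keys and directory in client_keys:
                data = decrypt(client_keys[directory], data)
        view[path] = data
    return view


def build_scenario():
    # Constructed data: one shareable photo in the clear, one file in an encrypted directory.
    server = StorageServer()
    client = Client(server, "alice")
    client.sync("Photos", "cat.jpg", b"shared photo", encrypted=False)
    client.sync("Private", "taxes.txt", b"top secret", encrypted=True)
    return server, client
```

Running `build_scenario()` and then `attacker_view(server, False)` shows that an S3 breach alone yields nothing readable; `attacker_view(server, True)` (storage server plus key database compromised) exposes `Photos/cat.jpg` but still not `Private/taxes.txt`, which only the client's own directory key unwraps. The cost the thread already notes is visible too: the server cannot render the encrypted directory in a web gallery, and toggling encryption means re-uploading the directory under the new layer.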

I think the idea of not having to trust the cloud by doing client-side encryption is essential. It would be awesome if this is integrated into Ubuntu One, a must-have for every cloud in my opinion.

I really like how Mozilla is doing this with Firefox Sync. You don't have to trust Mozilla since even they can not access your data. Also they give you the opportunity to run your own server [1] (would be nice if Ubuntu One Server was open sourced). See a great explanation on the importance of user data from one of the Mozilla devs at http://andreasgal.com/2011/05/02/user-data/

So must-have:
* Complete client-side encryption without any possibility for Canonical (or any intruder in Canonical's or Amazon's network) to access your data

The best solution would be to have it on the client, e.g. in the list of folders/files synched a check box for encryption so the user could still be able to access over the Internet whatever files she needs and to encrypt the more important ones. If not on the client, it could be done on Nautilus, like the aforementioned script by manosx.

As an interim solution, I have been using encfs to mount my important directories on to .encrypted sub folders which I then select to be synchronized to Ubuntu One. In general this works rather well. Of course neither "locate" nor whatever indexing service "Dash" uses can find any of these files, which makes those tools useless for the important files, but hopefully the real solution that is hopefully (again) being worked on can solve this issue (i.e. by placing and retrieving the index data for encrypted file systems on exactly those file systems).

> Unfortunately this seems to have fallen off the radar as I don't see
> any Ubuntu One related session in the Cloud track:
> http://summit.ubuntu.com/uds-q/track/servercloud/ or any encryption
> related session on the Desktop track:
> http://summit.ubuntu.com/uds-q/track/desktop/
>
> Maybe Steve Alexander could give us an update on what has happened so
> far and what still may need to be done.

Well I've been using encfs as well, and I'm quite happy with this
solution.

A pity the idea of somehow integrating this and making it more readily
available to people not able to configure and get the encfs option
working themselves has been shelved though.

I have personally fixed this problem by implementing client side encryption through encfs.
I suggest everybody do the same, syncing online only encrypted documents, and uploading to a non-encrypted folder the documents you want to share or need to access from a web interface.

That's a bit annoying (especially when it comes to decrypting documents from your Android phone) but it will make you sleep again :)

I use Ubuntu One as cloud, but my local systems use encfs to make sure everything in that cloud is encrypted/decrypted client-side.

This works well, but is 'fiddly' for non-tech users to set up so it would be nice to wrap this up better as a part of Ubuntu One.

Josef Andersson <email address hidden> wrote:
> This should be even more relevant in these NSA-times. I for myself will
> switch to another provider that has encryption, and I'll come back to
> Ubuntu One when this is fixed.